[00:15.720 --> 00:17.840]  You're looking at the side of my head.
[00:18.020 --> 00:19.680]  Everything's kind of weird and purple.
[00:19.680 --> 00:21.040]  Does it show up the same way for you?
[00:26.660 --> 00:27.460]  Mute.
[00:37.470 --> 00:38.270]  Awesome.
[00:39.470 --> 00:42.750]  All right, well, it is 9:30,
[00:42.750 --> 00:46.850]  so we can get started with the first Q&A of the day
[00:46.850 --> 00:49.010]  here at DEF CON Safe Mode.
[00:49.010 --> 00:50.030]  My name is PLiberty9.
[00:50.030 --> 00:52.870]  I'm here with my fellow goon, Fallible.
[00:52.870 --> 00:53.770]  Hey, Fallible.
[00:54.210 --> 00:55.170]  Greetings.
[00:55.690 --> 00:59.150]  And we are also here with our first speaker of the day.
[00:59.150 --> 01:01.090]  We are here with Feng Xiao,
[01:01.090 --> 01:02.790]  who is going to answer your questions
[01:02.790 --> 01:04.530]  all about his presentation,
[01:04.530 --> 01:09.470]  Discovering Hidden Properties to Attack the Node.js Ecosystem.
[01:09.470 --> 01:10.570]  Hey, Feng, how's it going?
[01:10.570 --> 01:11.210]  Hi.
[01:11.210 --> 01:12.110]  Hi, good.
[01:12.110 --> 01:13.210]  How are you guys?
[01:13.210 --> 01:14.570]  We're doing great.
[01:14.570 --> 01:15.890]  It's awesome to have you here.
[01:15.890 --> 01:17.310]  Watched your presentation.
[01:17.310 --> 01:19.210]  You did an incredible job with that.
[01:19.210 --> 01:22.030]  Highly recommend that people go check that out.
[01:22.030 --> 01:24.490]  It's available on YouTube.
[01:24.490 --> 01:27.070]  DEF CON has those videos up.
[01:27.350 --> 01:30.530]  And you can also ask questions to Feng
[01:30.530 --> 01:35.950]  on the Discord channel at the TrackOneLiveQA channel.
[01:35.950 --> 01:39.130]  So yeah, we have a few questions that are coming in,
[01:39.130 --> 01:42.830]  so we can ask him some of those questions.
[01:43.330 --> 01:44.210]  Let's see.
[01:44.210 --> 01:45.610]  Let me actually start with one.
[01:45.610 --> 01:47.370]  Let me get this one out there as a start.
[01:47.370 --> 01:50.730]  So this is not your first time presenting at DEF CON, is it?
[01:50.730 --> 01:53.990]  So how many times have you given DEF CON presentations?
[01:55.050 --> 01:58.070]  Okay, so before the SIGMO talk,
[01:58.070 --> 02:00.470]  I only came to DEF CON once,
[02:00.470 --> 02:04.170]  and that is my first time SIGMO talk.
[02:04.170 --> 02:06.710]  It was in 2018.
[02:07.010 --> 02:11.510]  So in that talk, I presented some new vulnerabilities
[02:11.510 --> 02:15.610]  that I discussed in software-defined networks.
[02:15.850 --> 02:19.330]  So this is actually my second time at DEF CON.
[02:20.310 --> 02:24.650]  That's fantastic, and we're really glad you decided to come back and join us again.
[02:25.550 --> 02:31.090]  Somebody was trying to ask if we were going to do first-time rituals with you,
[02:31.090 --> 02:34.810]  but we don't have to, because you're an old hat with this.
[02:35.910 --> 02:38.050]  You've already done that, so that's awesome.
[02:39.070 --> 02:42.350]  Let's see, we've got some questions coming in yet.
[02:42.370 --> 02:46.310]  Feng, one of the questions that we were kind of wondering about
[02:46.310 --> 02:50.450]  with your research that you did on the Node.js ecosystem
[02:51.970 --> 02:56.830]  is what type of people should use the tool that you released?
[02:56.950 --> 02:59.530]  I know you mentioned the tool in your presentation.
[02:59.530 --> 03:01.790]  Maybe you want to mention that a little bit,
[03:01.790 --> 03:04.730]  and what kind of people should be using that sort of thing?
[03:05.790 --> 03:11.170]  Yeah, so this is... according to our research,
[03:11.170 --> 03:14.890]  we found this is kind of a widespread problem,
[03:14.890 --> 03:20.290]  and many GitHub repos or npm projects have this problem.
[03:20.290 --> 03:24.970]  So we believe that there are two kinds of people that may want to use this tool.
[03:24.990 --> 03:30.790]  The first kind of people is the developers.
[03:30.850 --> 03:33.650]  I believe they can use this tool to detect
[03:33.650 --> 03:39.470]  their own software, so that they can catch and discover
[03:39.470 --> 03:43.570]  all these hidden properties before they release a version.
[03:43.770 --> 03:48.190]  And a second type of people that we think can use this tool
[03:48.190 --> 03:53.450]  is some white hats, pen testers, or hackers.
[03:53.450 --> 03:57.810]  When they want to do some security analysis,
[03:57.810 --> 04:01.810]  maybe they can use this tool to detect some vulnerabilities
[04:01.810 --> 04:04.850]  or problems within their targets.
[04:05.070 --> 04:05.570]  Yes.
[04:06.030 --> 04:08.010]  Excellent. All right.
[04:09.310 --> 04:13.950]  Sorry, people have noticed that we're a little bit weird on our adjustments.
[04:13.950 --> 04:15.910]  We're trying to get that fixed as we go.
[04:16.330 --> 04:18.890]  Enjoy the testing in production. Sorry about that, folks.
[04:20.310 --> 04:21.410]  Yeah, for sure.
[04:22.790 --> 04:23.830]  Let's see.
[04:24.050 --> 04:29.370]  So, also, Feng, one of the things that you mentioned in the presentation
[04:29.370 --> 04:33.390]  where you had this discovery in Node.js,
[04:33.390 --> 04:37.610]  you also referenced Ruby on Rails and PHP.
[04:38.130 --> 04:42.030]  So, does it exist in those languages and platforms?
[04:42.030 --> 04:44.410]  And could it exist possibly in others?
[04:44.410 --> 04:49.250]  Should people try to go find this same vulnerability in other platforms?
[04:49.670 --> 04:51.470]  Okay, thanks for the question.
[04:51.470 --> 04:57.050]  So, as you guys have already observed in my presentations,
[04:57.050 --> 05:05.160]  the root cause of those vulnerabilities mainly comes from object sharing.
[05:05.670 --> 05:09.790]  So, if a language platform has such a feature,
[05:09.790 --> 05:15.190]  or some applications are using some kind of object sharing,
[05:15.190 --> 05:17.590]  then they could have a problem there.
[05:17.590 --> 05:22.530]  But the reason we are studying Node.js here is that,
[05:22.530 --> 05:27.530]  due to the flexibility of JavaScript,
[05:28.190 --> 05:31.170]  the object can be really flexible.
[05:31.170 --> 05:39.890]  So, this empowers the hackers to propagate a lot of bad things into the programs.
[05:39.890 --> 05:42.750]  So, that's why we are studying Node.js.
[05:42.750 --> 05:50.790]  And we believe maybe there are other problems that are not discovered yet.
[05:50.790 --> 05:59.030]  But I think it is really a good direction to also explore this in other languages as well.
[05:59.710 --> 06:00.670]  Excellent.
[06:01.390 --> 06:05.770]  Alright, checking for some more questions from the audience.
[06:06.730 --> 06:08.830]  Here, I'll check for questions.
[06:08.850 --> 06:13.830]  PLiberty, would you see if you can get him, get that video up just a little bit higher too?
[06:13.830 --> 06:14.630]  Yeah, I think...
[06:14.630 --> 06:19.690]  One thing, I'm going to turn my camera off and just see if that bumps him up.
[06:20.130 --> 06:21.610]  I'm going to try the same.
[06:32.000 --> 06:34.900]  Oh yeah, now we are looking at who we want to actually see.
[06:34.900 --> 06:37.320]  Right, exactly. No one wants to see our faces.
[06:42.430 --> 06:43.230]  Alright.
[06:45.150 --> 06:49.810]  Cool, okay, back over. Let's see what else the community has to say.
[06:51.690 --> 06:52.610]  Okay.
[06:53.510 --> 06:58.350]  So yeah, Deadly Cob wants to know, when will the tool be released?
[06:58.350 --> 07:03.830]  He says, or this person says, they are only seeing a coming soon on the repo at the moment.
[07:04.610 --> 07:06.210]  Okay, yeah, thanks for the question.
[07:06.210 --> 07:10.090]  So that is one thing that I would like to mention in the Q&A.
[07:10.270 --> 07:15.530]  So, for now, as you guys may have observed from the presentations,
[07:15.530 --> 07:21.770]  there are several components in my talk, in the tools.
[07:22.050 --> 07:29.090]  And honestly, from the perspective of user experience, it's not that well designed,
[07:29.090 --> 07:32.570]  so you have to print and type in some kind to use it.
[07:32.570 --> 07:37.290]  So what we are doing now is, first, we are cleaning up the project code,
[07:37.290 --> 07:41.730]  and also we are making documents for it.
[07:41.730 --> 07:50.830]  So probably a short answer is that we are going to release it no later than the end of August.
[07:50.910 --> 07:54.070]  Oh, excellent. So that's great to hear.
[07:54.970 --> 08:00.150]  Alright, let's see that. Okay, cool.
[08:00.730 --> 08:10.390]  Let's see, who else do we have on there that wants to ask questions of our first speaker?
[08:10.390 --> 08:13.170]  Yeah, one from OKTux is coming in,
[08:13.170 --> 08:18.150]  would it be possible to talk more about the differences between HPA and prototype pollution?
[08:18.730 --> 08:21.430]  Okay, cool, thanks. Thanks for the question.
[08:21.430 --> 08:31.250]  And so, for prototype pollution in JavaScript,
[08:31.250 --> 08:37.150]  we are talking about some kind of attack that tampers with the prototype object,
[08:37.150 --> 08:41.530]  which is a special type of object in the JavaScript languages.
[08:41.930 --> 08:45.910]  However, in our attack, that is not our target.
[08:46.030 --> 08:54.970]  For example, in our attack, we are targeting some user application-specific attributes or something else.
[08:54.970 --> 09:02.770]  And also, you may already see, as you may have already heard from my presentation,
[09:02.770 --> 09:06.530]  we have something that is closely related to the prototype,
[09:06.530 --> 09:10.610]  but it's not about modifying the prototype.
[09:10.610 --> 09:16.830]  Instead, we are trying to forge some attributes that can be found on the prototype
[09:16.830 --> 09:19.790]  and hijack the inheritance chain.
[09:19.790 --> 09:26.790]  So, yes, there is a big difference between HPA and prototype pollution.
[09:27.130 --> 09:31.390]  Excellent. Thanks for that question, OKTux.
[09:31.390 --> 09:35.510]  All right. Let's see.
[09:37.310 --> 09:41.070]  And I know sometimes when you give a presentation,
[09:41.070 --> 09:44.370]  I know from experience that sometimes you have to kind of leave things out,
[09:44.370 --> 09:47.230]  that you really want to focus on the main issues.
[09:47.230 --> 09:52.910]  Was there any kind of like extra tips or extra things that if you had more time,
[09:52.910 --> 09:56.370]  that you might have included anything else that maybe people can think about
[09:56.370 --> 09:59.250]  with regard to the vulnerabilities that you found,
[09:59.250 --> 10:02.910]  or anything else that they can kind of think about around your research?
[10:03.630 --> 10:12.750]  Yeah, so due to the time constraint, we always have to remove some very interesting things from the talk.
[10:12.750 --> 10:21.350]  And to be honest, if I have time, I really want to case study every vulnerability within the research,
[10:21.350 --> 10:24.770]  because that's what people are maybe expecting,
[10:24.770 --> 10:29.790]  and I think those vulnerabilities are really interesting.
[10:29.890 --> 10:35.310]  So my answer is the first thing that I come up with when I want to add more to it,
[10:35.310 --> 10:38.410]  it is about those vulnerability case studies.
[10:39.470 --> 10:44.130]  Excellent. Is there anything that maybe other people who enjoyed your research
[10:44.130 --> 10:49.150]  could also kind of dig in and take a look at and possibly look for as well?
[10:49.490 --> 10:53.870]  So I know a lot of times people just want to kind of add on to research that they find,
[10:53.870 --> 10:58.530]  and they're like, that's really great stuff, maybe I can find the next thing with that.
[10:58.530 --> 11:04.170]  When you were doing your research, did you have other ideas of things that maybe you didn't have time to look into,
[11:04.170 --> 11:07.290]  and maybe other people would have time to kind of help out with?
[11:08.790 --> 11:16.330]  Yeah, so I think I can share with you some ideas about Node.js.
[11:16.350 --> 11:23.550]  So for Node.js, I found a lot of interesting applications.
[11:23.550 --> 11:32.790]  For example, I found that many applications are now deployed in the serverless platform.
[11:33.210 --> 11:36.370]  So I think that could be an interesting direction.
[11:36.850 --> 11:45.190]  Yes, so this is kind of a new environment, different from the traditional server environments.
[11:45.390 --> 11:52.430]  And there's a lot of Node.js programs running in the serverless platform.
[11:52.430 --> 11:55.930]  So yeah, maybe that could be one interesting direction.
[11:55.930 --> 12:00.670]  And maybe somebody can hear my thoughts.
[12:00.670 --> 12:05.390]  Maybe they can come up with some great ideas and present them at next year's DEF CON.
[12:05.390 --> 12:07.730]  And I will be happy to see that.
[12:09.510 --> 12:12.250]  That's excellent. All right.
[12:13.530 --> 12:18.050]  Looking for more questions that people have for you here.
[12:27.930 --> 12:32.830]  As we all attempt to figure out our settings here.
[12:32.830 --> 12:40.770]  Thank you everybody, and especially Feng for joining us for this chaos of figuring out how to get this stream to work properly.
[12:40.770 --> 12:43.030]  You're our first guinea pig.
[12:43.570 --> 12:51.910]  And thank you everybody in the stream chat telling us some suggestions of how to fix stuff.
[12:52.490 --> 12:56.330]  We'll also go in and see if we can kill our Discord notification noises.
[13:09.490 --> 13:12.610]  So Feng, do you have any other thoughts about...
[13:13.150 --> 13:24.570]  I know that you kind of hit this already, but is there anything in the talk that you would have liked to have included, but you didn't get a chance to give to us in your presentation so far?
[13:26.510 --> 13:31.090]  So, there's a lot of details, right?
[13:31.570 --> 13:39.790]  You know, I researched for a large project. Actually, I have been working on this project for almost about one year.
[13:39.790 --> 13:43.850]  So there's a lot of details and things I would like to add to it.
[13:43.850 --> 13:49.670]  Actually, a good thing about that is we are going to release our code, right?
[13:49.670 --> 13:54.910]  So many people can know a lot of details about our research.
[13:55.750 --> 14:02.750]  Also, we have the time to release our white paper, and I have been working on it for a while.
[14:02.890 --> 14:12.170]  So, if it is possible, I can also share my Twitter account.
[14:12.230 --> 14:18.650]  So maybe people who are interested in this research can follow me, or I can also follow back.
[14:18.650 --> 14:27.410]  And I will update the status of this work when I release something new.
[14:28.890 --> 14:33.330]  That's a good idea. I'm sure there's a lot of people who would be interested in knowing more about that.
[14:33.330 --> 14:38.430]  And good work. We'll make sure we get that out to anybody who wants to see it.
[14:38.430 --> 14:43.090]  Actually, we'll probably post that in the TrackOne channel.
[14:44.850 --> 14:48.270]  So I'll get that in there while we keep chatting.
[14:58.690 --> 15:04.230]  Alright, so you told us some of what you've been working on. You told us what you're aiming to do next.
[15:06.510 --> 15:13.670]  It sounds like you're open for more people to come up with other thoughts and some other research directions for you.
[15:13.990 --> 15:19.470]  I'm sure I would like to know, and I'm sure some other folks would like to know as well,
[15:19.470 --> 15:26.930]  are you open for... I guess I'm not sure exactly where I was trying to go on that one.
[15:26.930 --> 15:35.630]  Other than, if people want to come to you and talk about this further, you've given them your Twitter.
[15:38.550 --> 15:43.950]  There's a... well, let me step back. I'll think of my question a little bit harder and come up with another one.
[15:43.950 --> 15:52.850]  In the meantime, tell us more about how you came upon this research.
[15:54.510 --> 15:59.370]  Oh, you mean how do I discover all these things, right?
[16:02.230 --> 16:03.190]  Please.
[16:04.190 --> 16:12.670]  Yeah, so the process I discovered this vulnerability is kind of like...
[16:12.670 --> 16:22.150]  since I enjoy eyeballing the source code of open source projects to discover vulnerabilities.
[16:22.150 --> 16:30.650]  So when I take a look at some of my targets, I kind of discover some properties that's kind of like...
[16:30.650 --> 16:43.210]  okay, it seems that I can modify them, but there's no document, no API documentation, that mentions them.
[16:43.210 --> 16:47.470]  So that's why I just try to include those properties.
[16:47.470 --> 16:56.110]  And in terms of that, yes, I can override those original values and do something bad.
[16:56.110 --> 17:01.970]  This is just the very beginning of our motivating cases of that.
[17:01.970 --> 17:05.390]  So that's why we come up with our new tools.
[17:07.510 --> 17:09.110]  That's an interesting way.
[17:09.110 --> 17:17.070]  So it sounds like then you spend a certain amount of your time as you're doing whatever your day job is,
[17:17.070 --> 17:19.910]  hunting around and finding ways that things are broken.
[17:19.910 --> 17:25.530]  So can you give us a little bit more thought into some of the other folks who are coming up
[17:25.530 --> 17:32.250]  and working on their own projects.
[17:32.250 --> 17:36.770]  How do you identify when you are finding something that would be a good DEF CON talk?
[17:36.770 --> 17:40.690]  How do you identify something that you'd like to pursue further?
[17:41.410 --> 17:43.630]  Okay, thanks for the question.
[17:43.630 --> 17:53.210]  So I would say, yeah, I have some thoughts about how to make a DEF CON talk or Black Hat talk like that.
[17:53.210 --> 17:59.330]  So for me, if I can find some results or some new findings,
[17:59.330 --> 18:04.370]  which I think, first, this can be used in some real-world settings.
[18:04.370 --> 18:09.150]  For example, if I found some vulnerabilities that are exploitable in the production environment,
[18:09.150 --> 18:13.910]  I would say, yes, this could be some DEF CON or Black Hat talk.
[18:14.390 --> 18:22.430]  And also, if you really think this is a widespread or widely seen problem,
[18:22.430 --> 18:30.790]  maybe you should consider building something, some tools or at least some scripts,
[18:30.790 --> 18:42.790]  so that people can use your tools or use your things and make all the process of discovering vulnerabilities easier.
[18:42.790 --> 18:46.610]  Yes, so that's two things I think could be useful.
[18:46.610 --> 18:52.710]  I like that. So you're starting small and you're building up things that are potentially useful.
[18:52.710 --> 18:56.910]  And then once you have small things that you can start to release,
[18:57.210 --> 19:03.790]  you start to build a community around that, build additional motivation, additional activity.
[19:04.530 --> 19:05.810]  Yeah.
[19:06.150 --> 19:12.470]  Yeah, I think also it's great to point out one of the points that Feng just made.
[19:12.470 --> 19:17.530]  When you start thinking about what is going to be good research and showing it around,
[19:17.530 --> 19:22.790]  I know a lot of times people think like, this is not really interesting to anybody else but me,
[19:22.790 --> 19:27.490]  and it's not going to make a great talk anywhere. And I know a lot of people have that kind of thought.
[19:27.490 --> 19:33.650]  And my experience has always been that there's definitely other people that want to hear your research,
[19:33.650 --> 19:38.850]  and that you should definitely try to share that kind of information and research anywhere you can.
[19:38.850 --> 19:43.790]  So that was a great point that Feng was making, giving to us there.
[19:43.790 --> 19:49.170]  There is also another question for you here that seems interesting from Soft Tortilla,
[19:49.170 --> 19:55.950]  that wants to know, can you elaborate on the expected difficulty of getting those 12 CVEs patched?
[19:55.950 --> 19:59.210]  Do you think there's going to be much difficulty with getting those fixed?
[20:00.010 --> 20:02.370]  Oh, that's an interesting question. Yes.
[20:02.370 --> 20:08.250]  So for the vulnerability patching process, I do have some words to share with you guys.
[20:08.250 --> 20:14.990]  So, yes, at the very beginning, I found that people are not expecting those vulnerabilities.
[20:15.310 --> 20:22.090]  And they just think that, OK, so this seems like some minor issues, I don't want to patch it.
[20:22.630 --> 20:29.530]  But things went very differently as my research proceeded.
[20:29.530 --> 20:39.350]  So I found more and more, and many people in the industry, companies start to look at these problems.
[20:39.370 --> 20:43.270]  And once things were that way, things changed.
[20:43.270 --> 20:51.870]  For example, there are some commercial scanners starting to alert on such vulnerabilities.
[20:51.870 --> 21:03.090]  And some vendors who previously declined to patch those bugs have to patch them now.
[21:03.090 --> 21:09.630]  Because those vulnerability scanners start to say something like,
[21:09.630 --> 21:13.870]  whoa, this has vulnerabilities, you cannot use those libraries.
[21:13.870 --> 21:20.290]  So yes, this is kind of like a process that nobody knows your research, and you are kind of like nobody.
[21:20.290 --> 21:26.710]  But after you are getting more results, people are starting to look at it.
[21:26.710 --> 21:33.770]  And they will say, whoa, these are really interesting and important problems, and I want to patch it.
[21:33.770 --> 21:38.610]  Because it is already affecting our package usage.
[21:39.530 --> 21:46.130]  Excellent. And you also, at the beginning of that, mentioned that sometimes people think like,
[21:46.130 --> 21:49.470]  this isn't a big deal, so I'm not going to bother patching it.
[21:49.470 --> 21:52.710]  But for people that might not have seen your presentation yet,
[21:52.710 --> 21:57.950]  I believe that you were able to take user input, bypass protections,
[21:57.950 --> 22:02.770]  and were you able to show SQL injection during your presentation?
[22:04.830 --> 22:06.230]  Excuse me?
[22:06.270 --> 22:11.510]  And how far were you able to kind of... and how critical were the vulnerabilities
[22:11.510 --> 22:18.270]  that you were able to kind of take the exploits that you were doing in your presentation?
[22:18.270 --> 22:24.210]  Like some of the exploits that you were able to do, and how far were you able to take it?
[22:25.870 --> 22:35.910]  Yeah, so the final attack effects really depend on the type of those attack targets, right?
[22:35.910 --> 22:42.330]  So for the case study or the motivating example in our presentations,
[22:42.330 --> 22:46.710]  we are attacking some web frameworks.
[22:46.710 --> 22:52.570]  So we can build examples to demonstrate to people that, okay, you see, if we bypass this,
[22:52.570 --> 22:58.230]  if we bypass your protections, we can do something really bad.
[22:58.230 --> 23:05.930]  But for some other modules, the attack effects seem more vague,
[23:05.930 --> 23:13.250]  which means people will say, well, it seems like some minor logic bugs,
[23:15.690 --> 23:21.410]  but it turns out that those minor logic bugs also can be a really big problem
[23:22.430 --> 23:26.710]  when they are being exploited with other modules.
[23:27.150 --> 23:28.150]  Excellent.
[23:30.390 --> 23:31.710]  Let's see.
[23:32.330 --> 23:35.250]  Fallible, were you able to find any others in there?
[23:35.250 --> 23:40.610]  If not, I know that there's a couple other questions, but I wanted to see if you had one that you pulled out.
[23:40.610 --> 23:44.850]  So there are some people talking, people are asking more about this,
[23:44.850 --> 23:49.810]  something that you already answered a little bit about how you found that target.
[23:49.810 --> 23:53.710]  I do have one other slight sidetrack question.
[23:53.710 --> 23:56.170]  It says that you are a PhD student at Georgia Tech.
[23:56.170 --> 23:59.530]  Are you willing to tell us what your thesis is about?
[24:00.510 --> 24:01.590]  Oh, my thesis?
[24:01.590 --> 24:03.770]  Okay, so that is my worry.
[24:03.770 --> 24:06.700]  Okay, so I'm kind of...
[24:07.570 --> 24:08.490]  You can say no.
[24:09.330 --> 24:15.310]  I see myself as a kind of a hacker, which means whenever I find something interesting,
[24:15.310 --> 24:16.890]  I will try to hack them.
[24:16.890 --> 24:21.490]  So that's why previously I did some hacks in the software-defined networks,
[24:21.490 --> 24:25.770]  which gave people an impression that I'm working on network security.
[24:25.770 --> 24:30.870]  And now I'm attacking the Node.js, so people may think,
[24:30.870 --> 24:33.830]  okay, so you are doing some web application security, right?
[24:33.830 --> 24:41.210]  Yeah, but actually, I can tell you guys that my next goal may be in the hypervisor,
[24:41.210 --> 24:47.490]  which is, I'm going to work on something else in x86 virtualization.
[24:47.490 --> 24:52.490]  So I don't know what's going to be my thesis topic,
[24:52.490 --> 25:00.130]  because traditionally people will have a unique or unified topic for their thesis.
[25:00.130 --> 25:09.030]  But for me, it's more about hacking and building tools to detect those annoying issues.
[25:10.870 --> 25:16.810]  So you're still trying to narrow down exactly what you want your thesis to be, huh?
[25:16.810 --> 25:17.290]  Yeah.
[25:17.290 --> 25:19.090]  That's exciting.
[25:25.280 --> 25:32.160]  So Angel Ray asks, what's the biggest surprise you came across when doing this research?
[25:34.680 --> 25:40.160]  So there's a lot of moments that I think really make me happy.
[25:40.160 --> 25:47.640]  For example, the moments I find the vulnerabilities from some widely used programs,
[25:47.640 --> 25:50.820]  such as MongoDB or something else.
[25:50.820 --> 25:54.080]  So those are some moments that make me really happy.
[25:54.080 --> 26:03.720]  And also, when I found that my talk was accepted by DEF CON,
[26:03.720 --> 26:06.040]  that also made me really excited.
[26:10.710 --> 26:11.910]  Excellent.
[26:14.050 --> 26:14.970]  Okay.
[26:15.070 --> 26:16.670]  What else do we have?
[26:16.670 --> 26:21.870]  There's a lot of people in there chatting, talking some good stuff for you here, Feng.
[26:25.970 --> 26:32.290]  How about one question is that for people who haven't really done vulnerability research,
[26:32.290 --> 26:36.910]  what's your advice on how somebody can pick a target?
[26:37.210 --> 26:40.510]  Your research here is on Node.js.
[26:40.510 --> 26:42.870]  But if somebody else wants to do vulnerability research,
[26:42.870 --> 26:46.410]  how should they go about starting that and choosing a target for that?
[26:46.830 --> 26:48.490]  Thanks for the question.
[26:50.230 --> 26:53.710]  I have been working on vulnerability research for a while.
[26:53.710 --> 27:02.270]  So my experience or my suggestion is that I can conclude two kinds of vulnerabilities
[27:02.270 --> 27:05.830]  that people may want to take a look at.
[27:05.830 --> 27:11.370]  So the first kind of vulnerability is like something in our talk.
[27:11.370 --> 27:13.670]  It's about some logic bugs.
[27:13.670 --> 27:18.270]  And people can find some ways to exploit those vulnerabilities
[27:18.270 --> 27:21.910]  and manipulate the program logics.
[27:21.910 --> 27:23.690]  So that's one direction.
[27:23.690 --> 27:36.810]  And usually it is hard to directly find those vulnerabilities
[27:36.810 --> 27:42.350]  without knowing the internal logics of the applications.
[27:42.550 --> 27:50.850]  And the second category of vulnerability finding can be in the binary vulnerabilities,
[27:50.850 --> 27:53.150]  which is something like memory corruption.
[27:53.470 --> 28:00.650]  And nowadays there's a lot of research using automatic tools like fuzzers to find those vulnerabilities.
[28:00.650 --> 28:06.210]  So those vulnerabilities actually, it is kind of an easier job
[28:06.210 --> 28:11.790]  because there's already some well-established concepts and tools,
[28:11.790 --> 28:14.730]  such as AFL or something else.
[28:14.730 --> 28:19.270]  So maybe if you are new to the vulnerability finding,
[28:19.270 --> 28:23.210]  you may also take a look at those fuzzing things.
[28:23.210 --> 28:26.170]  So you may find some interesting results.
[28:26.470 --> 28:29.330]  In fact, vulnerabilities are everywhere, right?
[28:29.330 --> 28:34.350]  So if you use those fuzzers, you can get some results.
[28:34.450 --> 28:35.490]  Excellent.
[28:36.030 --> 28:36.990]  All right.
[28:36.990 --> 28:39.310]  Looks like we're coming down to the end here.
[28:39.310 --> 28:40.550]  This has flown right by.
[28:40.550 --> 28:42.370]  We only got a couple minutes left with you.
[28:42.370 --> 28:45.650]  So if anybody else has any questions that they want to get into,
[28:45.650 --> 28:51.310]  put those on the TrackOneLive QA Discord channel.
[28:51.490 --> 28:52.490]  Yeah, are you going to...
[28:52.490 --> 28:56.550]  The question I would finish up with would be,
[28:56.550 --> 29:00.190]  do you have a call to action for those of us watching?
[29:00.190 --> 29:01.990]  Do you have something that,
[29:01.990 --> 29:05.130]  additional research you would like somebody else to look at
[29:05.130 --> 29:08.430]  that's tangentially related to what you work on?
[29:08.430 --> 29:14.830]  Or how would you point other folks who are interested in this subject
[29:14.830 --> 29:16.710]  towards more?
[29:17.350 --> 29:20.030]  You mean more in Node.js?
[29:21.250 --> 29:28.870]  Yes, or even specifically related to the attacks you have shown.
[29:29.870 --> 29:33.690]  Yeah, so for Node.js, I mean,
[29:33.690 --> 29:38.790]  there are some related attacks that people may be interested in looking at.
[29:38.790 --> 29:41.090]  So I can list it here.
[29:41.090 --> 29:43.970]  So, for example, prototype pollution.
[29:43.970 --> 29:46.470]  Yes, so you may want to take a look at it.
[29:46.470 --> 29:48.390]  And after you're looking at that,
[29:48.390 --> 29:53.370]  you may find that there are some connections or some differences between this and our talk.
[29:53.390 --> 29:56.180]  And after prototype pollution,
[29:56.670 --> 30:06.730]  you may also want to take a look at some well-known denial-of-service attacks in Node.js.
[30:07.210 --> 30:11.470]  Denial-of-service attack is really a big issue for Node.js
[30:11.470 --> 30:15.810]  due to the single-thread event handling model.
[30:15.810 --> 30:19.750]  So if you search keywords like DoS or Node.js,
[30:19.750 --> 30:25.810]  you can find a lot of useful results about how people attack the Node.js applications.
[30:26.090 --> 30:30.730]  So that's kind of two research directions that I would like to mention here.
[30:31.410 --> 30:33.550]  I appreciate that. Thank you.
[30:33.550 --> 30:38.350]  So I really appreciate your willingness to come and, first off,
[30:38.350 --> 30:40.470]  give a presentation here at DEF CON.
[30:40.470 --> 30:45.610]  This is one of those community events that only happens because of the people like yourself
[30:45.610 --> 30:49.230]  who come out and do the research and do the presentations.
[30:49.230 --> 30:50.190]  So thank you very much.
[30:50.190 --> 30:54.730]  And thank you for being our guinea pig on our QA streaming here.
[30:54.730 --> 30:57.190]  If anybody has any additional questions,
[30:57.190 --> 31:01.170]  we can continue to attempt to get those over,
[31:01.170 --> 31:09.410]  or I would recommend looking at the Twitter account that I did link in the TrackOne channel.
[31:09.410 --> 31:12.350]  Otherwise, we will go ahead and wrap this up.
[31:12.350 --> 31:17.730]  Thank you everyone who had suggestions and considerations here,
[31:17.730 --> 31:19.450]  and we'll go ahead and sign off.
[31:19.450 --> 31:21.310]  So thank you all. Big wave.
[31:21.730 --> 31:22.130]  Thanks, Will.
[31:22.130 --> 31:22.750]  Thank you.
